Cryptography Reference
In-Depth Information
Next, we will present the
BlindKeyGen
protocol. In [20], a blind IBE was pre-
sented based on the IBE [3]. Since the ABE we give above is an extension of the
IBE [3], the
BlindKeyGen
protocol can also be seemed as a simple extension of
the
BlindExtract
protocol in [20]. Without loss of generality, we assume that the
user is entitled to an attribute set
ω
=
{
a
1
,...,a
t
}
.The
BlindKeyGen
proceeds
as follows.
-
Blind(
ω, pk
)
1.
U
picks a random
r
1
,...,r
t
∈
Z
p
;
2. computes
h
j
=
g
a
j
h
j
g
r
j
,
j
=1
,...,t
;
1
(
r
1
,...,r
t
,a
1
,...,a
t
):
j
=1
h
j
=
g
a
1
h
j
g
r
j
}
3. conducts
PoK
{
.
-
BKeyGen(
sk, h
j
,j
=1
,...,t
)
1.
verifies the proof. If the proof fails, abort;
2. chooses a random
r
KGC
∈
Z
p
;
3. computes
d
0
←
h
j
g
2
,
j
=1
,...,l
;
4. sends
sk
ω
=(
d
0
,d
1
,...,d
t
)to
g
r
,
d
j
←
U
.
-
Unblind(
sk
ω
)
1.
checks that
e
(
g
1
,g
2
)
e
(
d
0
,h
j
)=
e
(
d
j
,g
), for
j
=1
,...,t
;
2. If the check passes, chooses a random
z
U
∈
Z
p
, otherwise, outputs “
⊥
”
and aborts;
3. computes
d
0
←
(
d
j
/d
r
0
)
F
j
(
a
j
)
z
,
j
=1
,...,t
;
4. outputs
sk
ω
=(
d
0
,d
1
,...,d
t
).
d
0
g
z
,
d
j
←
Security.
We will show that the blind ABE above is IND-sAtt-CPA secure by
the following theorems.
Theorem 3.
The blind ABE above is both leak-free and selective-failure blind.
We sketch a proof of theorem 3 in Appendix B.
Theorem 4.
The basic ABE scheme above is IND-sAtt-CPA secure based on
DBDH assumption.
We give a proof of theorem 4 in Appendix B.
5.2 A Concrete Construction for CAC-OT
We will combine the credential signature scheme in [2] with the above blind
ABE to present a concrete CAC-OT scheme. The Pedersen commitment [28]
is also used. The scheme operates on the same group as the blind attribute-
based encryption that we present and the credential signature scheme [2], the
knowledge of the value
can be proved using schnorr's technique [30], and
hence Pedersen commitment scheme is well-suited for the concrete scheme for our
CAC-OT. In the protocol below, the parameters (
H, h
) used for the commitment
scheme can be generated by a trusted party.
D
Search WWH ::
Custom Search